Pinned topic: Create the same account id in multiple services

2012-10-09T09:05:29Z

My TIM version is 5.1 fixpack 11 and my customer needs to create the same id for selected services at first initiation time.
For example:
Every AD services profile has only one account: "CB_ADM" (Account ID) and two default groups: "CB_GROUP1", "CB_GROUP2"
Every AIX services profile also has only one account: "CB_ADM" (Account ID) and two default groups: "CB_GROUP1", "CB_GROUP2"

Let me explain in more detail.
There are over 500 servers which are Windows and AIX.

We need to create 3 default account ids and their groups when we add these servers as services in TIM.
According to the manuals, there are some ways to do this, for example,
1. writing scripts in the provisioning policy
2. default values in provisioning policy
...etc

However, the ways above are not the best way to achieve this purpose.

Because those accounts are created only in the initial stage, I would use a script on those servers, maybe with PowerShell on Windows servers, to create these local admin accounts. I'm not an expert on scripting but would imagine you could run one script against all of your Windows servers, not sure about AIX though.
Then in ITIM run reconciliation on those services and adopt those accounts to that one Person.

Re: Create the same account id in multiple services

"...customer asks me why we can NOT use ITIM?" The answer is... "Because it is NOT the best way."
TIM is superior in the situation where the user has a role and, based on the role, some users get some accounts on some AIX machines, while other users in another role do not. Your customer is NOT in this situation.
Anyway, back to my answer... you can put the script in the Person add Operational Workflow, which in the end simplifies your Provisioning Policy script.
Rgds. YN.

Re: Create the same account id in multiple services

But I am not sure I understand your task correctly - so let me try to rephrase what I believe you are trying to do...

You have some servers (Windows/AIX) that need administrative local users.
You have these servers defined as Windows Local / POSIX services in ITIM (or you are going to do so).

Now - creating an account on a service automatically involves 2 things:

1. Identity policies - this is where you define the naming of your accounts - the default identity policy will use the preferred userid on the person entity
2. Automatic provisioning policy entitlement - this is best triggered using a role (dynamic/static).

When the actual provisioning is performed, your creation will be performed using the "add" operation - so any post-processing (e.g. mail with password to owner) can be performed.

The challenge is that ITIM has a rather strange way of defining the provisioning policy entitlement - basically you cannot use the "service profile" entitlement if you have special cases, because these will be overridden by any service-specific policies - so you will need to create a provisioning policy for any service anyhow... (this can be done using the API).

Re: Create the same account id in multiple services

In my understanding the goal here was first to create 3 local accounts, not one, on those 500 different servers. That's why I suggested scripting. I forgot to mention TDI, which perhaps would be a better solution to carry out this initial task.

Re: Create the same account id in multiple services

Right you are, I only meant that this one specific task would perhaps best be done outside ITIM. Afterwards ITIM would be used to provision and manage user accounts on those servers.
Many ways to skin the cat I suppose :)

I have to agree with Franz and yn2000 that this should be done via ITIM and, more importantly, a clear solution needs to be designed and reviewed before you implement it.

Having said that, one alternative is to create a provisioning policy with automatic entitlements (Windows and AIX) to create your required IDs automatically. The entitlements should be the service profiles for AIX and Windows so that ALL new services would be covered when they are created. The provisioning policy membership would be a Role whose sole member would be the single person who owns all the accounts.

Considerations -

If the services that require the IDs already exist, creating this type of policy could adversely affect your performance while ITIM attempts to "catch up" with the provisioning.

Since you would be using Service profiles, ALL new services created under the same profile would be affected - you would not be able to exclude any.

Regarding the practice of having one person own hundreds/thousands of accounts - IMHO this is a BAD idea. It can result in nightmares when the person leaves the organization. What I believe to be best practice is to create "System Entities" (not human beings) to own the accounts. On the system entity you establish a human custodian or owner of the entity (you can do this by extending the custom person schema). Then, if the owner/custodian leaves, you simply have to change an attribute instead of the ownership of numerous accounts. This type of approach really needs to be brought up in the early discussions and planning for your IdM deployment, in order to get buy-in from the security Gods; otherwise, it may be an uphill battle.

Re: Create the same account id in multiple services

I know that we can create IDs automatically via provisioning policy once any service (host) is added.
But... how can I set eruid and ergroup for 3 accounts at one time in the JavaScript? Moreover, there is 1 account that will belong to 4 groups in the OS.

Maybe some sample code would be very helpful to me.
Thanks to those who help me and give advice.
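The parameter scripts asked for here, as an added illustration that is not part of any reply in this thread and not IBM's code: it models the eruid and ergroup entitlement parameters as plain functions over a stub `subject` (assumed to mirror the getProperty() call on ITIM's Person object), uses the custom erdefaultlogin attribute suggested later in the thread, covers the three-accounts / four-groups case, and then checks a reconciled account list against the plan. The profile names, the CB_OPS and CB_AUDIT accounts and the extra groups are constructed placeholders.

```javascript
// Added example, not from this thread or from IBM: a stand-alone model of the two
// provisioning-policy parameter scripts (eruid, ergroup) and the reconciliation
// check that follows. `subject` is a constructed stub of ITIM's Person object that
// exposes only getProperty(); names other than CB_ADM/CB_GROUP1/CB_GROUP2 are placeholders.
function makeSubject(attrs) {
  // getProperty() returns an array of values, or [] when the attribute is unset
  return { getProperty: (n) => (attrs[n] === undefined ? [] : [].concat(attrs[n])) };
}
// Default groups per service profile and account id (constructed sample data).
// CB_OPS is the "one account in four groups" case raised in the question.
const DEFAULT_GROUPS = {
  ADProfile: { CB_ADM: ["CB_GROUP1", "CB_GROUP2"],
               CB_OPS: ["CB_GROUP1", "CB_GROUP2", "CB_GROUP3", "CB_GROUP4"],
               CB_AUDIT: ["CB_GROUP2"] },
  PosixAixProfile: { CB_ADM: ["CB_GROUP1", "CB_GROUP2"],
                     CB_OPS: ["CB_GROUP1", "CB_GROUP2", "CB_GROUP3", "CB_GROUP4"],
                     CB_AUDIT: ["CB_GROUP2", "CB_GROUP2"] }, // duplicate on purpose
};
// eruid parameter script: custom attribute erdefaultlogin first, then uid (default identity policy).
function eruidScript(subject) {
  const custom = subject.getProperty("erdefaultlogin");
  const uid = custom.length > 0 ? custom[0] : subject.getProperty("uid")[0];
  if (!uid) throw new Error("person has neither erdefaultlogin nor uid");
  return uid;
}
// ergroup parameter script: multi-valued, so return an array (profile is a parameter here; ITIM takes it from the service).
function ergroupScript(subject, profileName) {
  const groups = (DEFAULT_GROUPS[profileName] || {})[eruidScript(subject)] || [];
  return Array.from(new Set(groups)); // a group listed twice shows up as a reconcile mismatch
}
// One account per owner per profile, the way an automatic entitlement behaves.
function planAccounts(subjects, profileNames) {
  const plan = [];
  for (const profile of profileNames)
    for (const s of subjects)
      plan.push({ profile, eruid: eruidScript(s), ergroup: ergroupScript(s, profile) });
  return plan;
}
// After reconciliation: planned accounts absent from the host, and host accounts
// that no planned owner covers (candidates for adoption, or for a closer look).
function reconcileDiff(plan, profileName, reconciledUids) {
  const expected = plan.filter((p) => p.profile === profileName).map((p) => p.eruid);
  return { missing: expected.filter((u) => !reconciledUids.includes(u)),
           orphans: reconciledUids.filter((u) => !expected.includes(u)) };
}
// Constructed owners: two carry the custom attribute, one relies on the uid fallback.
const OWNERS = [makeSubject({ uid: "p1", erdefaultlogin: "CB_ADM" }),
                makeSubject({ uid: "p2", erdefaultlogin: "CB_OPS" }),
                makeSubject({ uid: "CB_AUDIT" })];
```

Calling `planAccounts(OWNERS, ["ADProfile", "PosixAixProfile"])` yields six planned accounts; feeding one profile's reconciled uid list to `reconcileDiff` separates accounts still to be provisioned from ones nobody in the plan owns.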

Re: Create the same account id in multiple services

The first suggestion from yn is what you need to follow. You should create a custom attribute on the person object (call it erdefaultlogin or something like that) and set the value to the desired value during person creation. In the provisioning policies, just get the value for eruid from the person entity (sample code below):